I have just finished the AIO CEH book and am working with some of the tools and scans mentioned in the book.

In the book, it is mentioned that an Nmap Null scan (-sN) does not work on Windows, because it does not conform to an RFC. Yet it says that Linux does conform to this RFC and therefor a Null scan will work on Linux.

To test this I fired up a Windows XP and 2003 VM, and metasploitable. I then started Wireshark and did a Null scan on each one.

A Null scan is not supposed to return a reset packet when the port is open, and it will return one when a port is closed. This should tell you what ports are open. The book says this scan will not work with Windows and that it was designed for Linux boxes. No matter what OS I scan, RST packets ARE returned. Also, no ports are shown as open on any box, even when there ARE open ports.

Here is an output sample of a Linux box:All 1000 scanned ports on Dalobo's-PC (192.168.56.41) are open|filtered

Am I misunderstanding something here? Shouldn't the Windows box not return any RST packets thus showing all ports as open? Why does the linux box not show any open ports? Why is Windows sending RST packets?

Not all systems follow RFC 793 to the letter. A number of them send RST regardless of whether the port is open or not. The result is all ports are labeled as being closed. Some OS that do this are Windows, Cisco devices and IBM OS/400.

These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered closed, while no response means it is open|filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

I am getting an open | filtered while getting RST packets. Hence the confusion.

This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered. <-- is this what I am seeing? But some of the ports are open...

When I scan my router, it works correctly. Turning telnet on and then doing a Null scan illicit no RST packet. That means it is open, and it does show up as open.

PORT STATE SERVICE23/tcp open telnet

So Windows should always show open | filtered or "All open" -> Hence the does not work with Windows

The Linux that is running in Metasploitable is Ubuntu i think. Ubuntu must do the same thing as Windows. The Linux on my router must work the "normal way" and that is why telnet shows up. (Along with a few others.)